In the previous blog post, I showed you how to set up Nextcloud on a Pantavisor device. The setup was fairly straightforward, but Nextcloud needs to be hosted over HTTPS for the Nextcloud app to connect to the Nextcloud server. Unfortunately, the default Docker image of Nextcloud doesn’t have an HTTPS setup and therefore doesn’t work directly with the Nextcloud app.
Note: Check out the new Discussion Forum and community website for Pantavisor Linux at pantavisor.io. You’ll find new tutorials as well as an introduction to Pantabox, our front-end for managing Pantavisor Linux locally on the device.
Using NGINX as an HTTPS reverse proxy
You can configure NGINX to act as a reverse proxy that will forward all requests to the Nextcloud server. But the following points need to be kept in mind while doing this:
- Forward the request at the root level server block to Nextcloud server.
- Generate a self-signed certificate and key to configure NGINX.
- Increase file size limits so that it’s easier to upload larger files from Nextcloud.
- Configure NGINX to serve content over HTTPS.
Pantavisor allows you to configure a platform without having to change the original Docker image. We’ll describe how to use this feature to override NGINX’s default configuration.
NOTE: For steps 1 and 2 below, all content is assumed to be in <prep_dir>, which can be anywhere on your system.
Step 1 – Generate a self-signed certificate
First, let’s create the content for our self-signed certificate. We’ll create a file named openssl.gen with the following:
[ req ]
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password = changeit
[ req_distinguished_name ]
C = IN
ST = Delhi
L = New Delhi
O = Pantahub
OU = Developer
CN = localhost
emailAddress = localhost@local.domain
[ req_attributes ]
challengePassword =
Next, create a script to generate the required directory structure, the key and the certificate.
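#!/bin/bash
# Output locations, relative to <prep_dir>; they mirror the paths used inside the NGINX container
KEYDIR=etc/ssl/private
KEYNAME=nginx-selfsigned.key
CERTDIR=etc/ssl/certs
CERTNAME=nginx-selfsigned.crt
mkdir -p "$KEYDIR"
mkdir -p "$CERTDIR"
# Self-signed certificate valid for 365 days with a new 4096-bit RSA key;
# -nodes leaves the private key unencrypted so NGINX can load it without a passphrase
openssl req -x509 -nodes -days 365 \
    -newkey rsa:4096 -keyout "$KEYDIR/$KEYNAME" \
    -out "$CERTDIR/$CERTNAME" -config ./openssl.gen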
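The configuration above names only CN = localhost, while the device is later reached by IP address, and current browsers match the requested host against subjectAltName rather than CN. The following variant is an added example, not part of the original post: it writes a config with a SAN entry for every name or address you pass and generates the key and certificate in the same paths. The file name openssl-san.gen, the function names and the trimmed DN are assumptions.

```shell
#!/bin/sh
# Added example: Step 1 with subjectAltName entries. The file name
# openssl-san.gen and the names passed as arguments are assumptions.

# is_ipv4 NAME: succeeds if NAME looks like a dotted-quad IPv4 address.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# gen_openssl_conf CN [NAME...]: print an openssl req config on stdout; CN and
# every NAME become SAN entries (IP.n for addresses, DNS.n otherwise).
gen_openssl_conf() (
    cn=${1:?usage: gen_openssl_conf CN [NAME...]}; shift
    dns=0; ip=0
    cat <<EOF
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_san
prompt = no

[ req_distinguished_name ]
O = Pantahub
CN = $cn

[ v3_san ]
subjectAltName = @alt_names

[ alt_names ]
EOF
    for name in "$cn" "$@"; do
        if is_ipv4 "$name"; then
            ip=$((ip + 1)); echo "IP.$ip = $name"
        else
            dns=$((dns + 1)); echo "DNS.$dns = $name"
        fi
    done
)

# make_cert CN [NAME...]: write key and certificate to the paths Step 1 uses.
make_cert() (
    mkdir -p etc/ssl/private etc/ssl/certs &&
    gen_openssl_conf "$@" > openssl-san.gen &&
    openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
        -keyout etc/ssl/private/nginx-selfsigned.key \
        -out etc/ssl/certs/nginx-selfsigned.crt -config ./openssl-san.gen &&
    chmod 600 etc/ssl/private/nginx-selfsigned.key   # owner-only private key
)

if [ "$#" -gt 0 ]; then make_cert "$@"; fi
```

Saved as a script and run from <prep_dir> with, for example, the arguments localhost 10.0.0.102, it produces a certificate that lists both the name and the address.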
Step 2 – Create a default configuration for NGINX
Use the following script to generate an NGINX configuration file, with the required directory structure, that forwards all HTTPS traffic to the Nextcloud Pantavisor application:
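#!/bin/sh
NGINX_CONF_DIR=etc/nginx/conf.d
NGINX_DEFAULT_CONF=default.conf
mkdir -p "$NGINX_CONF_DIR"
# The quoted 'EOF' keeps the shell from expanding NGINX variables such as $host
cat <<'EOF' > "$NGINX_CONF_DIR/$NGINX_DEFAULT_CONF"
# Plain-HTTP listener: redirect to HTTPS on the host the client asked for
# ($server_name would send every client to https://localhost)
server {
    listen 8080 default_server;
    server_name localhost;
    return 301 https://$host$request_uri;
}
# HTTPS listener: terminate TLS and proxy everything to Nextcloud
# (default_server is a listen parameter, not a server name)
server {
    listen 443 ssl default_server;
    server_name _;
    location / {
        proxy_buffers 64 4k;
        proxy_buffer_size 4k;
        proxy_pass http://127.0.0.1/;
    }
    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_timeout 5m;
    # Allow large uploads through the proxy
    client_max_body_size 10G;
}
EOF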
NOTE: If you change the SSL certificate or key file location in Step 1, make sure to update the same location in the above script accordingly.
Since Pantavisor runs all containers in the same network namespace, you can set proxy_pass to a loopback address. If you’re running it in a separate network namespace, then instead of 127.0.0.1 point it to the IP address and port of the Nextcloud container that is open to inbound traffic.
NOTE: The steps below need to be done from where you cloned your device.
Step 3 – Move the etc directory into _config
The _config directory allows you to change the configuration of any container running with Pantavisor. First, move the etc directory created in the above two steps inside the nginx directory under _config:
mkdir -p _config/nginx
mv <prep_dir>/etc _config/nginx
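NGINX refuses to start when a certificate or key path in default.conf has no matching file once the overlay is applied, which is the mismatch the note under Step 2 warns about. The following pre-flight check is an added example, not part of the original post or of Pantavisor's tooling; it assumes the certificate and key are supplied only through _config/nginx, and its function names are hypothetical. It also reports deprecated ssl_protocols values.

```shell
#!/bin/sh
# Added example, not Pantavisor tooling: pre-flight check of the NGINX overlay
# before `pvr add`. OVERLAY is the directory laid over the container's root
# filesystem (_config/nginx in this tutorial).

# conf_values FILE DIRECTIVE: print the arguments of each uncommented DIRECTIVE.
conf_values() {
    sed 's/#.*//' "$1" |
        awk -v d="$2" '$1 == d { sub(/;.*/, ""); $1 = ""; print }'
}

# check_overlay OVERLAY: print one line per problem; non-zero status if any.
check_overlay() (
    overlay=${1:?usage: check_overlay OVERLAY}
    conf=$overlay/etc/nginx/conf.d/default.conf
    [ -f "$conf" ] || { echo "missing $conf"; exit 1; }
    bad=0
    # Paths in the config are container paths; each must exist in the overlay.
    for d in ssl_certificate ssl_certificate_key; do
        paths=$(conf_values "$conf" "$d")
        [ -n "$paths" ] || { echo "$d: not set"; bad=1; }
        for p in $paths; do
            [ -f "$overlay$p" ] || { echo "$d: $p not in overlay"; bad=1; }
        done
    done
    # TLS 1.0 and 1.1 are deprecated (RFC 8996).
    for v in $(conf_values "$conf" ssl_protocols); do
        case $v in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "ssl_protocols: $v is deprecated"; bad=1 ;;
        esac
    done
    exit "$bad"
)

# Run from the cloned device directory with the overlay path as the argument.
if [ "$#" -gt 0 ]; then check_overlay "$1"; fi
```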
Step 4 – Add NGINX as an app to your device
Create a directory named nginx in your cloned device’s directory with a file named src.json. The content of src.json should look something like below.
Note: The below configuration for nginx is for x86_64, please use a different Docker digest if you are using a different architecture.
{
"#spec":"service-manifest-src@1",
"args":{},
"config":{},
"docker_digest":"registry.hub.docker.com/library/nginx@sha256:ee5a9b68e8d4a4b8b48318ff08ad5489bd1ce52b357bf48c511968a302bc347b",
"docker_name":"registry.hub.docker.com/library/nginx",
"docker_source":"remote,local",
"docker_tag":"amd64",
"persistence":{},
"template":"builtin-lxc-docker"
}
Step 5 – Install Nginx and post a new revision
pvr app install nginx #Install Nginx
pvr add .
pvr commit
pvr post
Run the image with QEMU for X86_64
Refer to this post that describes how to run a Pantavisor image on QEMU.
We need the following ports on the host machine. Any other host ports would work, but to keep things simple it’s better to map the host and QEMU ports 1:1, i.e. host port 80 mapped to QEMU port 80, and so on.
- Port 80 is used by Nextcloud container which is using Apache Webserver.
- Port 443 is used by nginx container.
- Port 8022 is used by pvr-sdk to allow ssh sessions.
From a web browser, go to the IP address of the machine where QEMU is running. Let’s say your machine’s IP is 10.0.0.102. You should then point your browser to https://10.0.0.102.
NOTE: Since you’re using a self-signed certificate, the browser will show you a warning that the certificate’s authenticity can’t be guaranteed. You can ignore that warning and proceed to install Nextcloud.
After you’ve installed Nextcloud, you should see a page like the one shown below. As can be seen, the certificate is the same one we configured and then made available via _config/nginx.
